Ok, the title is obviously irony. If you have seen any of my posts you will know how sceptical I am of this management fad called risk appetite. I am actually old enough to remember when consultants started pushing this concept pretending it was both new and useful. Anyway, since the concept is unlikely to disappear any time soon, we might as well use it for our advantage.
You may have seen the new COSO guidance on Understanding and Communicating Risk Appetite by Dr. Larry Rittenberg and Frank Martens. This article is not about that COSO document, which is absolute rubbish. If you want, you can watch my almost page by page review below:
This article is about practical application in non-financial companies.
But first, important caveat. Risk appetite statements in any shape of form are moronic. If you are hoping to learn how to write one in this article you probably shouldn’t be working in risk. No organisation should ever have a risk appetite statement.
10% of the time risk appetite is imposed by laws and regulations, not set
Despite what consultants are telling us, a lot of the time risk appetite is imposed, not set by management. Think of risk appetite as a dog’s leash or boundaries that regulators, stakeholders and government set on the companies.
Examples include zero-tolerances or limits on safety, bribery and corruption, AML, pollution, sanctions, privacy, etc, etc. None of these have to be documented in a risk appetite statement, because there are already existing Board level policies covering this.
Does the risk manager need to do anything here? Probably not.
10% of the time risk appetite is the gentlemen’s agreement between Board and management
Boards have an important oversight role and help them set the direction and boundaries for management decision making. Those management decision making boundaries is risk appetite.
Examples include deal approvals only by Board above a certain limit, limits on holding percentage of cash in certain pre-approved banks, rules on credit limits for certain types of customers, limits on investments in different countries, etc, etc.
Does the risk manager need to do anything here? Probably not. Maybe review how management is tracking against those limits. I once had an interesting case study where the risk manager showed that management was actually not taking enough risk based on the appetite set by the Board. The management ended up significantly changing the investment strategy taking on more risk while still staying below the limit.
80% of the time risk appetite is the risk reward trade-off
This one is my favourite, because the consultants and organisations like COSO are clueless about this most important and useful application.
Check out other risk management books
The two applications above have been around for decades, long before some consultants (it was most likely Oliver Wyman) came up with the name “risk appetite”, and there is not much for the risk managers to do that compliance officers or management hasn’t done anyway. This application on the other hand is very powerful and something risk managers can stuck their teeth into.
The key is making uncertainty around decision making transparent to allow decision makers choose the alternative which offers the most appropriate risk reward balance according to their individual appetites.
One of the common applications can be showing alternative decisions against the efficient frontier (example below)…
…or running simulations to calculate the probability of favourable outcomes (example below) or show target using probabilistic ranges…
… or show how different alternatives have very different risk profiles (example below)
I had an interesting case study on the above many years ago. The first simulation my team has ran showed the probability of success for a given strategy was less than 0,1%. The management immediately said this was not something they were willing to take to the shareholders. So they ended up adjusting their assumptions, changing the strategy, resetting priorities and resource allocation. The new strategy had 70% of success and the management felt comfortable that this was within their risk appetite.
The bad news of course is that to write a risk appetite statement a risk manager doesn’t need any real competencies, anyone could do it. To run simulations and calculate efficient frontier risk managers need strong quants.